NSE4_FGT-6.4 | Rebirth Fortinet NSE 4 - FortiOS 6.4 NSE4_FGT-6.4 Sample Question

NEW QUESTION 1
Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two.)

• A. FortiGate points the collector agent to use a remote LDAP server.
• B. FortiGate uses the AD server as the collector agent.
• C. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
• D. FortiGate queries AD by using the LDAP to retrieve user group information.

Answer: CD

NEW QUESTION 2
Which CLI command will display sessions both from client to the proxy and from the proxy to the servers?

• A. diagnose wad session list
• B. diagnose wad session list | grep hook-pre&&hook-out
• C. diagnose wad session list | grep hook=pre&&hook=out
• D. diagnose wad session list | grep "hook=pre"&"hook=out"

Answer: D

NEW QUESTION 3
Which statement about the policy ID number of a firewall policy is true? D18912E1457D5D1DDCBD40AB3BF70D5D

• A. It is required to modify a firewall policy using the CLI.
• B. It represents the number of objects used in the firewall policy.
• C. It changes when firewall policies are reordered.
• D. It defines the order in which rules are processed.

Answer: A

NEW QUESTION 4
An administrator has configured outgoing Interface any in a firewall policy. Which statement is true about the policy list view?

• A. Policy lookup will be disabled.
• B. By Sequence view will be disabled.
• C. Search option will be disabled
• D. Interface Pair view will be disabled.

Answer: A

NEW QUESTION 5
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
*All traffic must be routed through the primary tunnel when both tunnels are up
*The secondary tunnel must be used only if the primary tunnel goes down
*In addition, FortiGate should be able to detect a dead tunnel to speed up tunnelfailover
Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two,)

• A. Enable Dead Peer Detection.
• B. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
• C. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
• D. Configure a higher distance on the static route for the primary tunnel, and a lower distance on the state route for the secondary tunnel.

Answer: A

NEW QUESTION 6
NGFW mode allows policy-based configuration for most inspection rules. Which security profile’s configuration does not change when you enable policy-based inspection?

• A. Web filtering
• B. Antivirus
• C. Web proxy
• D. Application control

Answer: B

NEW QUESTION 7
Which of the following statements correctly describes FortiGates route lookup behavior when searching for a suitable gateway? (Choose two)

• A. Lookup is done on the first packet from the session originator
• B. Lookup is done on the last packet sent from the responder
• C. Lookup is done on every packet, regardless of direction
• D. Lookup is done on the trust reply packet from the responder

Answer: AD

NEW QUESTION 8
Which statement regarding the firewall policy authentication timeout is true?

• A. It is an idle timeou
• B. The FortiGate considers a user to be “idle” if it does not see any packets coming from the user’s source IP.
• C. It is a hard timeou
• D. The FortiGate removes the temporary policy for a user’s source IP address after this timer has expired.
• E. It is an idle timeou
• F. The FortiGate considers a user to be “idle” if it does not see any packets coming from the user’s source MAC.
• G. It is a hard timeou
• H. The FortiGate removes the temporary policy for a user’s source MAC address after this timer has expired.

Answer: A

NEW QUESTION 9
Which of the following SD-WAN load –balancing method use interface weight value to distribute traffic? (Choose two.)

• A. Source IP
• B. Spillover
• C. Volume
• D. Session

Answer: CD

NEW QUESTION 10
What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose three.)

• A. Traffic to botnetservers
• B. Traffic to inappropriate web sites
• C. Server information disclosure attacks
• D. Credit card data leaks
• E. SQL injection attacks

Answer: ACE

NEW QUESTION 11
Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)

• A. The firmware image must be manually uploaded to each FortiGate.
• B. Only secondary FortiGate devices are rebooted.
• C. Uninterruptable upgrade is enabled by default.
• D. Traffic load balancing is temporally disabled while upgrading the firmware.

Answer: CD

NEW QUESTION 12
Refer to the web filter raw logs.

Based on the raw logs shown in the exhibit, which statement is correct?

• A. Social networking web filter category is configured with the action set to authenticate.
• B. The action on firewall policy ID 1 is set to warning.
• C. Access to the social networking web filter category was explicitly blocked to all users.
• D. The name of the firewall policy is all_users_web.

Answer: D

NEW QUESTION 13
Which statement about the IP authentication header (AH) used by IPsec is true?

• A. AH does not provide any data integrity or encryption.
• B. AH does not support perfect forward secrecy.
• C. AH provides data integrity bur no encryption.
• D. AH provides strong data integrity but weak encryption.

Answer: C

NEW QUESTION 14
Refer to the exhibit.

Which contains a network diagram and routing table output. The Student is unable to access Webserver.
What is the cause of the problem and what is the solution for the problem?

• A. The first packet sent from Student failed the RPF check.This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.
• B. The first reply packet for Student failed the RPF check.This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1.
• C. The first reply packet for Student failed the RPF check.This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.
• D. The first packet sent from Student failed the RPF check.This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.

Answer: C

NEW QUESTION 15
Refer to the exhibit.

The global settings on a FortiGate device must be changed to align with company security policies. What does the Administrator account need to access the FortiGate global settings?

• A. Change password
• B. Enable restrict access to trusted hosts
• C. Change Administrator profile
• D. Enable two-factor authentication

Answer: D

NEW QUESTION 16
......